RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
6-41

  • Any IP address
■ Where the traffic type is either TCP or UDP, the ACE can optionally include one or more TCP or UDP port numbers.

The following syntax and operating information refers to ACLs configured in a RADIUS server.

ACE Syntax:

< permit | deny > in < ip | ip-protocol-value > from any to < < ip-addr > [/< mask >] | any > [tcp/udp-ports] [cnt]

< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the authenticated client.

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.
  ip: This option applies the ACL to all IP traffic from the authenticated client.
  ip-protocol-value: This option applies the ACL to the type of IP traffic specified by either a protocol number or by tcp or udp. The range of protocol numbers is 0-255, and you can substitute 6 for TCP or 17 for UDP. (Protocol numbers are defined in RFC 2780. For a complete listing, refer to "Protocol Numbers" under "Protocol Number Assignment Services" on the Web site of the Internet Assigned Numbers Authority at www.iana.com.) Some examples of protocol numbers include:
    1 = ICMP
    2 = IGMP
    6 = TCP
    17 = UDP
    41 = IPv6

from any: Required keywords specifying the (authenticated) client source. (Note that a RADIUS-Based ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment. Traffic from any other source MAC address on the same port is not evaluated against this ACL.)

to: Required destination keyword.
  < ip-addr >: Specifies a single destination IP address.
  < ip-addr >/< mask >: Specifies a series of contiguous destination IP addresses or all destination IP addresses in a subnet. The < mask > is CIDR notation for the number of leftmost bits in a packet's destination IP address that must match the corresponding bits in the destination IP address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IP type) from the authenticated client has a destination IP address where the first three octets are 10.100.17. (The fourth octet is a wildcard and can be any value from 0 through 255; the host bits of the address written in the ACE do not narrow the match.)
  any: Specifies any IP destination address. Use this option when you want the ACL action to apply to all traffic of the designated type, regardless of destination.
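As an added worked example (an editor's illustration, not HP/ProCurve code and not the switch's own implementation), the following Python parses ACEs written in the syntax above and evaluates a small constructed ACL the way the page describes: the traffic type is ip, tcp, udp or a protocol number 0-255; the destination is a single address, an address with a CIDR mask, or any; TCP/UDP ACEs may carry port numbers. Three points are assumptions not stated on this page and are marked in the code: the port list is written as space-separated values or low-high ranges, traffic that matches no ACE is dropped (the usual implicit deny), and the trailing cnt keyword is only recorded, not interpreted. The sample ACL and packets are constructed for the example.

```python
"""Parser and first-match evaluator for the RADIUS-based ACE syntax on this page.

Editor's illustration; not HP code. Assumptions are marked in comments.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Names the page says may stand in for protocol numbers: 6 = TCP, 17 = UDP.
PROTO_NAMES = {"tcp": 6, "udp": 17}
# Protocol-number examples listed on the page, used only for readable output.
PROTO_EXAMPLES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6"}

# permit|deny in <proto> from any to <dst> [ports...] [cnt]
_ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(\S+)\s+from\s+any\s+to\s+(\S+)((?:\s+\S+)*?)(\s+cnt)?\s*$",
    re.IGNORECASE,
)


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: Optional[int]                   # None = the page's "ip" (all IP traffic)
    dst: Optional[ipaddress.IPv4Network]   # None = "any"
    ports: List[Tuple[int, int]] = field(default_factory=list)  # (low, high) ranges
    cnt: bool = False                      # trailing "cnt" keyword, recorded only


def parse_ace(text: str) -> Ace:
    """Parse one ACE, e.g. 'permit in tcp from any to 10.100.17.1/24 80 443'."""
    m = _ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed ACE: {text!r}")
    action, proto_tok, dst_tok, port_toks, cnt = m.groups()

    # Traffic type: "ip", a name the page allows (tcp/udp), or a number 0-255.
    proto_tok = proto_tok.lower()
    if proto_tok == "ip":
        proto = None
    elif proto_tok in PROTO_NAMES:
        proto = PROTO_NAMES[proto_tok]
    elif proto_tok.isdigit() and 0 <= int(proto_tok) <= 255:
        proto = int(proto_tok)
    else:
        raise ValueError(f"bad protocol {proto_tok!r}: expect ip, tcp, udp or 0-255")

    # Destination: single address, address/mask (CIDR), or "any".
    if dst_tok.lower() == "any":
        dst = None
    else:
        # strict=False so the page's own example 10.100.17.1/24 is accepted and
        # read as 10.100.17.0/24 (host bits are a wildcard).
        dst = ipaddress.IPv4Network(dst_tok, strict=False)

    # Ports apply only to TCP (6) or UDP (17). ASSUMPTION: ports are written as
    # space-separated single values or low-high ranges; the page leaves the
    # port syntax unspecified.
    ports: List[Tuple[int, int]] = []
    for tok in port_toks.split():
        lo, _, hi = tok.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (0 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port spec {tok!r}")
        ports.append((lo_i, hi_i))
    if ports and proto not in (6, 17):
        raise ValueError("port numbers are only valid with tcp (6) or udp (17)")

    return Ace(action.lower(), proto, dst, ports, bool(cnt))


def ace_matches(ace: Ace, proto: int, dst_ip: str, dst_port: Optional[int] = None) -> bool:
    """True if an inbound packet from the authenticated client matches this ACE."""
    if ace.proto is not None and ace.proto != proto:
        return False
    if ace.dst is not None and ipaddress.IPv4Address(dst_ip) not in ace.dst:
        return False
    if ace.ports:
        if dst_port is None or not any(lo <= dst_port <= hi for lo, hi in ace.ports):
            return False
    return True


def evaluate(acl: List[Ace], proto: int, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching ACE decides. ASSUMPTION: a packet matching no ACE is
    dropped (implicit deny); this page does not state that rule."""
    for ace in acl:
        if ace_matches(ace, proto, dst_ip, dst_port):
            return ace.action
    return "deny"


# Constructed sample ACL for the example (not from the page).
SAMPLE_ACL = [parse_ace(s) for s in (
    "permit in tcp from any to 10.100.17.1/24 80 443",   # web to the /24
    "deny in tcp from any to 10.100.17.0/24",            # all other TCP to it
    "permit in udp from any to 10.100.10.1 53",          # DNS to one host
    "permit in 1 from any to any cnt",                   # ICMP anywhere
)]

if __name__ == "__main__":
    for proto, ip, port in [(6, "10.100.17.200", 80), (6, "10.100.17.200", 22),
                            (17, "10.100.10.1", 53), (1, "192.0.2.9", None)]:
        name = PROTO_EXAMPLES.get(proto, str(proto))
        print(f"{name:5} -> {ip}:{port}  {evaluate(SAMPLE_ACL, proto, ip, port)}")
```

Note that the second sample ACE is what makes the first one meaningful: without it, TCP to other ports in 10.100.17.0/24 would still reach the implicit deny, but an operator reading the list would have to remember that the deny is silent and not written down.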